The Broadside · News · vuln-advisory, trade-press · 1 min read

Cisco SD-WAN zero-day gives attackers root access

The useful part is not the zero-day label; it is that SD-WAN managers sit where normal endpoint telemetry barely reaches.


TL;DR

Mandiant told CyberScoop that attackers exploited Cisco Catalyst SD-WAN Manager flaws, including CVE-2026-20245, to compromise an unnamed communications service provider and create a rogue root-level account. Cisco has patched the flaw. Federal Civilian Executive Branch agencies already face CISA Emergency Directive 26-03 duties to inventory, update and assess Cisco SD-WAN systems; contractors are outside the directive, but not outside the blast radius.

Mandiant’s finding is ugly in the way edge-device compromises are usually ugly: the attacker did not need to win every workstation. According to CyberScoop, the actor used Cisco Catalyst SD-WAN Manager vulnerabilities to get into an unnamed communications service provider, then used CVE-2026-20245 in March to create a rogue user account, “troot,” with full root-level control. Cisco has since patched the flaw.

The practical problem is for defenders who treat SD-WAN infrastructure like plumbing rather than a control plane. Mandiant said the attacker could have gained broad, undetected visibility into internal traffic across the provider’s corporate network, but could not fully assess the scope because the actor removed evidence. That caveat matters. It is not comfort; it is the reason the incident response answer cannot stop at “patch applied.”

CISA already put Cisco SD-WAN exploitation into federal emergency-directive territory. Its ED 26-03 supplemental guidance says Federal Civilian Executive Branch agencies must identify, update and assess potentially compromised in-scope Cisco SD-WAN systems, and report indicators of compromise or unusual activity to CISA, while urging other organizations to use the same hunt and hardening guidance: https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems. CISA’s broader alert also says agencies must inventory Cisco SD-WAN systems, update them and assess compromise under ED 26-03: https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems.

For federal contractors and service providers, the Monday work is narrower and harder than reading another advisory. Find every Cisco SD-WAN Manager instance, confirm fixed software, preserve logs and snapshots before they roll off, and hunt for rogue peering, account manipulation and unexpected configuration pushes. The directive may not apply to contractors by its own terms, but a compromised control plane does not care which procurement clause is on the order form.
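The inventory-and-hunt steps above can be scripted against a fleet snapshot. The block below is an added example written for this article, not code from The Broadside, Cisco, Mandiant or CISA. It assumes each SD-WAN Manager instance can be summarised as a hostname, a software version string and a passwd-style account dump (a generic Linux format chosen for illustration, not a documented Cisco export); the minimum fixed version is a placeholder to be replaced with the release named in Cisco's advisory, and the baseline account set and fleet data are constructed for the example. It flags instances below the fixed version, any UID-0 account other than root, and any account outside the baseline, which is how a rogue "troot"-style account would surface.

```python
"""Fleet hunt helper: unpatched SD-WAN Manager instances and rogue root accounts.

Added example, not the article's or any vendor's code. Formats, version
threshold and sample data are assumptions labelled below.
"""
from dataclasses import dataclass

# PLACEHOLDER: replace with the fixed release from Cisco's advisory for
# CVE-2026-20245 (the article does not state the version number).
MIN_FIXED_VERSION = "99.99.99"

# Constructed baseline: the accounts expected on a healthy instance.
BASELINE_ACCOUNTS = {"root", "admin"}


@dataclass
class Instance:
    host: str
    version: str
    passwd: str  # passwd-style dump (assumed format), constructed here


def parse_version(version: str) -> tuple:
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_passwd(text: str) -> list:
    """Return (name, uid) pairs from passwd-style lines, skipping malformed ones."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        accounts.append((fields[0], int(fields[2])))
    return accounts


def hunt(inst: Instance, min_fixed: str = MIN_FIXED_VERSION) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    if parse_version(inst.version) < parse_version(min_fixed):
        findings.append(f"unpatched: {inst.version} < {min_fixed}")
    for name, uid in parse_passwd(inst.passwd):
        if uid == 0 and name != "root":
            findings.append(f"uid-0 account not named root: {name}")
        if name not in BASELINE_ACCOUNTS:
            findings.append(f"account outside baseline: {name}")
    return findings


# Constructed fleet: one clean instance, one that looks like the incident.
FLEET = [
    Instance(
        host="sdwan-mgr-01.example",
        version="100.0.0",
        passwd="root:x:0:0:root:/root:/bin/bash\n"
               "admin:x:1000:1000::/home/admin:/bin/bash\n",
    ),
    Instance(
        host="sdwan-mgr-02.example",
        version="1.0.0",
        passwd="root:x:0:0:root:/root:/bin/bash\n"
               "admin:x:1000:1000::/home/admin:/bin/bash\n"
               "troot:x:0:0::/home/troot:/bin/bash\n",
    ),
]


def hunt_fleet(fleet: list) -> dict:
    """Map hostname -> findings for every instance with at least one finding."""
    return {inst.host: hunt(inst) for inst in fleet if hunt(inst)}


if __name__ == "__main__":
    for host, findings in hunt_fleet(FLEET).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Feed `hunt_fleet` the real inventory once the placeholder version is replaced; the account check is deliberately strict (anything not in the baseline is reported) because on a control-plane box an unexplained account is worth a ticket even when it is not UID 0.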


Published · Deep Fathom
